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WHAT IS CLAIMED IS: 



1 1. A security policy database cache comprises: 

2 at least one primary table including signature values 

3 that indicate that a IPSec packet's security policy database 

4 (SPD) information may be in the cache; and 

5 at least one secondary table including cache entries 

6 having a selector, flags, security association (SA) 

7 information and an operation to perform on the corresponding 

8 packet for which a cache lookup was made. 

1 2. The security policy database cache of claim 1 

2 wherein the at least one primary table resides in DRAM. 

1 3. The security policy database cache of claim 1 

2 wherein the at least one secondary table resides in SDRAM. 

1 4. The security policy database cache of claim 1 

2 wherein at least one primary table and the at least one 

3 secondary table resides in the same memory. 

1 5. The security policy database cache of claim 1 

2 wherein the at least one primary table and the at least on 

3 secondary table resides in shared memory accessible by engines 

4 of a network processor. 

1 6. The security policy database cache of claim 1 

2 wherein the at least one primary table is divided into a 

3 plurality of buckets and each bucket is subdivided into bins. 

1 7 . The security policy database cache of claim 1 

2 wherein the cache has a one-to-one correlation between the at 
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3 least one primary table location and the at least one 

4 secondary table. 

1 8. The security policy database cache of claim 1 

2 wherein the signature index for the first primary table is 

3 produced using an IP selector and either a hardware hash unit 

4 or a software hashing algorithm. 

1 9. The security policy database cache of claim 8 

2 wherein the IP selector can be either IPv4 or IPv6 and 

3 includes IP destination, IP source, IP protocol, IP source 

4 port, IP destination port. 

1 10. The security policy database cache of claim 10 

2 wherein when the at least one primary table is searched for a 

3 matching signature to a packet, and if no matching signature 

4 is found, the at least one secondary table is not accessed. 

1 11. The security policy database cache of claim 10 

2 wherein when the at least one primary table is searched for a 

3 matching signature to a packet, and a matching signature is 

4 found, the at least one secondary table is accessed. 

1 12. The security policy database cache of claim 11 

2 wherein if the selector match is successful flags and SA 

3 information are returned to a requesting device. 

1 13. The security policy database cache of claim 1 

2 wherein the at least one primary table is a first one of a 

3 plurality of primary tables and the at least one secondary 

4 table is a first one of a plurality of secondary tables. 
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1 14. The security policy database cache of claim 13 

2 wherein when one of the plurality of primary tables is 

3 searched for a matching signature to a packet, and if no 

4 matching signature is found, the secondary table for the one 

5 of the plurality of primary tables is not accessed. 

1 15. The security policy database cache of claim 14 

2 wherein when one of the plurality of primary tables is 

3 searched for a matching signature to a packet, and a matching | 

4 signature is found, the secondary table for the one of the 

5 plurality of primary tables is read and a selector is compared 

6 with the selector from the packet. J 

1 16. The security policy database cache of claim 14 

2 wherein if the selector match is successful flags and security 

3 association (SA) information are returned to a requesting 

4 device. 

1 17. A method comprises: 

2 producing a signature of a packet and at least first and 

3 second indexes into corresponding first and second primary 

4 tables of a security database cache; 

5 reading contents of a bucket from a first one of the 

6 primary tables and a bucket from a second one of the primary 

7 tables to determine whether either of the buckets have 

8 contents that match to the produced signature; and for a 

9 match, 

10 determining if a selector in an entry in a secondary 

11 table matches a selector of the packet; and if a match 

12 processing according to an operation indicated by the 

13 entry. 
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1 18. The method of claim 17 wherein processing comprises, 

2 processing the packet by reading flags for the packet entry to 

3 process the packet according to the flags. 

1 19. The method of claim 17 wherein the cache uses the IP 

2 packet selector from a packet and hashing algorithm to produce 

3 the signature. 

1 20. The method of claim 17 wherein the actions taken 

2 with the packet depend on the value of the flags and include 

3 dropping the packet if the flags indicate drop, bypass, and 

4 enter a secure network. 

1 21. The method of claim 17 wherein the packets are 

2 incoming packets. 

1 22. The method of claim 17 wherein the packets are 

2 outgoing packets. 

1 23. The method of claim 17 wherein an entry is added to 

2 the security policy database cache. 

1 24. The method of claim 17 wherein if the signatures are 

2 exhausted, the method further comprises: 

3 searching a security policy database to locate the proper 

4 operation for the packet and to locate the correct security 

5 associations (Sas) to apply to the packet; and 

6 inserting the located correct SA as a cache entry into a 

7 SPD cache. 

1 25. The method of claim 17 wherein packet processing 

2 determines if the signature equals zero, and if zero, the 
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3 packet processing sets the signature to another, non-zero 

4 value. 

1 26. The method of claim 17 wherein the packet processing 

2 repeats until either all the matching signatures are exhausted 

3 or a secondary table match is found. 

1 27 . A computer program product residing on a computer 

2 readable medium for processing a packet comprises instructions 

3 to cause at least one processor to: 

4 produce a signature of a packet and first and second 

5 indexes into corresponding first and second primary tables of 

6 a security database cache; 

7 read contents of a bucket from a first one of the primary 

8 tables and a bucket from a second one of the primary tables to 

9 determine whether either of the buckets have contents that 

10 match to the produced signature; and for a match, 

11 process according to an operation indicated by the entry. 

1 28. The computer program product of claim 27 wherein 

2 processing comprises, processing the packet by reading flags 

3 for the packet entry to process the packet according to the 

4 flags. 

1 29. The computer program product of claim 27 wherein the 

2 cache uses the IP packet selector from a packet and hashing to 

3 produce the signature. 

1 30. The computer program product of claim 27 wherein the 

2 actions taken with the packet depend on the value of the flags 

3 and include dropping the packet if the flags indicate drop, 

4 bypass, and enter a secure network. 
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1 31. The computer program product of claim 27 wherein the 

2 packets are incoming packets. 

1 32. The computer program product of claim 27 wherein the 

2 packets are outgoing packets. 

1 33. The computer program product of claim 27 wherein an 

2 entry is added to the security policy database cache. 

1 34. The computer program product of claim 27 wherein if 

2 all of the signatures are exhausted, the computer program 

3 product of claim 27 further comprises instructions to: 

4 searching a security policy database to locate the proper 

5 operation for the packet and to locate the correct security 

6 associations (Sas) to apply to the inbound IPsec packet; and 

7 inserting the located correct SA as a cache entry into a 

8 SPD cache. 

1 35. The computer program product of claim 27 wherein 

2 packet processing determines if the signature equals zero, and 

3 if zero, the packet processing sets the signature to another, 

4 non-zero value. 

1 36. The computer program product of claim 27 wherein the 

2 packet processing repeats until either all the matching 

3 signatures are exhausted or a secondary table match is found. 

1 37. A network forwarding device comprising: 

2 at least one physical interface; 

3 a framer; 

4 a network processor; 
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5 security policy database cache to provide data to the 

6 network processor when processing packets, the security policy 

7 database including: 

8 at least one primary table including signature 

9 values that indicate that a packet's SPD information may 

10 be in the cache; and 

11 at least one secondary table including cache entries 

12 having a selector, flags, SA information and an operation 

13 to perform on the corresponding packet for which a cache 

14 lookup was made; and 

15 a switch fabric. 

1 38. The device of claim 37 wherein the interface is a 

2 media access controller device. 

1 39. The device of claim 37 further comprising SDRAM 

2 storing the at least one secondary table. 

1 40. The device of claim 37 further comprising SRAM 

2 storing the at least one primary table. 

1 41. The device of claim 37 further comprising local 

2 memory to store the at least one primary table. 

1 42. The device of claim 37 further comprising scratchpad 

2 memory to store the at least one primary table. 
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